Windows Finger Is Exploited To Download Malware

As per a report, the malware actors are using Windows Finger command to download and install a malicious backdoor program on targeted computers.

Speaking about the Finger command, it’s a utility which is originated from Linux OS allowing user to retrieve a list of users on remote computer or to derive information about a specific remote user. Alike Linux, Windows also includes finger.exe command that offer users to achieve same functions.

In order to execute the Finger command on Windows, a user requires to enter finger [user]@[remote_host].

Back in september, it was reported that researchers have found a way to use finger as a LoLBin to download malware from a remote computer or exfiltrate required data. Technically, LoLBins are legit applications which can enable hackers to bypass security controls to download malware without throwing any alert on screen.

Usage of Finger command in an active malware campaign

Recently, a security researcher named Kirk Sayre found a phishing campaign with the use of Finger command to download MineBridge backdoor malware.

This was first reported by FireEye following he discovered a number of phishing campaigns which are set to target South Korean organizations. The emails received under these campaigns included malicious Word documents disguised as job application resumes, which if downloaded and installed, executed the ManBridge malware.

The phishing campaign discovered by Sayre also pretends to be resume of a job applicant like the ManBridge campaigns discovered by FireEye.

In such cases, if the victims end up clicking the “Enabled Editing” or “Enable Content” buttons, a password protected macro will be executed, that further downloads the MineBridge malware and execute it.

The deobfuscated command executed by the macro uses the finger command to download a Base64 encoded certificate from a remote server and saves the same as %AppData%\vUCooUr. The code can be seen in the image below.

The code technically retrieves a certificate via the finger command, and is a base64 encoded malware downloader. Further, the certificate is decoded using certutil.exe command, which is saved as %AppData%\vUCooUr.exe and then executed.

So, once the command is executed, the downloader downloads a TeamViewer executable and use DLL hijacking to sideload a malicious DLL file, which is named as MineBridge malware.

Following the malware is loaded, the remote hackers manage to gain full access to the computer and allow them to listen in via the infected device’s microphone and do more other malicious doings.

Since the Finger command is being rarely used these days, it’s well suggested to administrators to block this command on their network, either through using AppLocker or through other possible methods.